A security hole discovered in 2008 exposes Oracle Database customers

Apr 27, 2012 15:01 GMT

In the April 2012 Critical Patch Update (CPU) released by Oracle, the company claimed to have addressed a TNS Listener issue that had affected the Oracle Database since 2008. However, the researcher who uncovered the flaw has learned that the fix is only applied to future versions of the product, not to existing ones.

After the CPU was made available by Oracle, the security expert who discovered the vulnerability, Joxean Koret, published an advisory and a proof of concept showing how it could have been exploited.

Much to his surprise, a statement from Oracle mentioned that the flaw was fixed only in future releases of the product.

“There is no patch at all for this vulnerability and Oracle refuses to write a patch for *ANY* existing versions, even for Oracle 11g R2. So, yes, ALL versions are vulnerable and will remain vulnerable,” Koret said.

He exchanged a few emails with the company’s representatives only to learn that the nature of the security hole would not allow them to fix it in the current versions because it was “very complex”, “risky to backport” and in the “sensitive part of the code.”

Threat Post spoke to Alex Rothacker of Team SHATTER, who revealed that the flaw allows an attacker to intercept traffic between the client and the database, such as in a man-in-the-middle scenario.

“The attacker can also hijack the connection and inject arbitrary commands or queries and execute them with the privileges of the authenticated user. In short, if the attacker intercepts a DBA connection, it’s game over and the attacker owns the database,” Rothacker explained.

The expert recommends that Oracle Database customers “disable remote registration in the TNS Listener by setting ‘dynamic_registration = off’ in the listener.ora file,” or that they use valid node checking.

However, the first option does not work with RAC (Real Application Clusters), and the second cannot be considered bulletproof.
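As an added illustration, not taken from the article, from Oracle or from the researchers quoted, the following Python script parses the two Oracle Net parameter files and reports whether the two mitigations Rothacker names are present. The sample listener.ora and sqlnet.ora contents are constructed. The parameter is written in Oracle's documented form DYNAMIC_REGISTRATION_<listener_name> (the article abbreviates it as ‘dynamic_registration = off’), valid node checking uses the documented TCP.VALIDNODE_CHECKING and TCP.INVITED_NODES settings in sqlnet.ora, and the listener name LISTENER is an assumption.

```python
import re

# Constructed sample configuration files for illustration only; they are not
# taken from the article or from any real deployment.
LISTENER_ORA_WEAK = """
# listener.ora left at the default: dynamic (remote) registration stays enabled
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.test)(PORT = 1521))
    )
  )
"""

LISTENER_ORA_HARDENED = LISTENER_ORA_WEAK + """
# Mitigation 1 from the article: switch off remote registration for this listener.
# Assumption: the listener is named LISTENER, so the parameter is
# DYNAMIC_REGISTRATION_LISTENER (Oracle's DYNAMIC_REGISTRATION_<listener_name> form).
DYNAMIC_REGISTRATION_LISTENER = OFF
"""

SQLNET_ORA_HARDENED = """
# Mitigation 2 from the article: valid node checking, which lives in sqlnet.ora
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (10.0.5.10, 10.0.5.11)
"""


def parse_net_params(text):
    """Parse the top-level NAME = VALUE entries of an Oracle Net parameter file.

    Values may be parenthesised lists spanning several lines; their nested
    contents are kept as raw text because the checks below only need the
    top-level keys. '#' starts a comment. Keys are returned upper-cased."""
    params = {}
    name, buf, depth = None, [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"\s*([A-Za-z0-9_.]+)\s*=(.*)$", line)
        if depth == 0 and m:
            if name is not None:
                params[name.upper()] = " ".join(buf).strip()
            name, buf = m.group(1), [m.group(2)]
        else:
            buf.append(line)
        # Track parenthesis balance so a new key is only recognised at depth 0.
        depth += line.count("(") - line.count(")")
    if name is not None:
        params[name.upper()] = " ".join(buf).strip()
    return params


def remote_registration_disabled(listener_params, listener_name="LISTENER"):
    """Mitigation 1: DYNAMIC_REGISTRATION_<listener_name> = OFF.
    Oracle's default for this parameter is ON, so a missing key counts as enabled."""
    key = f"DYNAMIC_REGISTRATION_{listener_name.upper()}"
    return listener_params.get(key, "ON").strip().upper() == "OFF"


def valid_node_checking_enabled(sqlnet_params):
    """Mitigation 2: TCP.VALIDNODE_CHECKING = YES plus a non-empty invited list.
    Checking that is switched on with no invited nodes is treated as not configured."""
    enabled = sqlnet_params.get("TCP.VALIDNODE_CHECKING", "NO").strip().upper() == "YES"
    invited = sqlnet_params.get("TCP.INVITED_NODES", "")
    nodes = [n.strip() for n in invited.strip("() ").split(",") if n.strip()]
    return enabled and bool(nodes)


def assess(listener_text, sqlnet_text, listener_name="LISTENER"):
    """Return a list of findings; an empty list means both mitigations are in place.
    The notes repeat the article's caveats: option 1 is incompatible with RAC and
    option 2 is not bulletproof on its own."""
    listener_params = parse_net_params(listener_text)
    sqlnet_params = parse_net_params(sqlnet_text)
    findings = []
    if not remote_registration_disabled(listener_params, listener_name):
        findings.append(f"remote registration still enabled for listener {listener_name}"
                        " (note: disabling it does not work with RAC)")
    if not valid_node_checking_enabled(sqlnet_params):
        findings.append("valid node checking not enabled or TCP.INVITED_NODES empty"
                        " (note: not a complete fix on its own)")
    return findings


if __name__ == "__main__":
    for label, listener, sqlnet in (("weak", LISTENER_ORA_WEAK, ""),
                                    ("hardened", LISTENER_ORA_HARDENED, SQLNET_ORA_HARDENED)):
        print(label, assess(listener, sqlnet) or ["no findings"])
```

On a real host the two files are read from $ORACLE_HOME/network/admin (or the directory TNS_ADMIN points to) and passed to `assess` with the actual listener name; the script only reads configuration and changes nothing.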